As Quality Manager in the fertility industry, it seemed natural, back in 2017, to take on the responsibility for implementing the General Data Protection Regulation (GDPR) across the organization (ISO 2700X) and to act as Data Protection Officer (DPO) for DK, UK and DE.
Focusing on legal requirements, company processes, IT security and employee behaviour, this work included close cooperation with national supervisory authorities; preparation of policies, SOPs etc.; management of data subject requests, data breaches, third-country transfers and data processors; digitisation and automation of processes; as well as training and auditing of internal and external stakeholders.
As a result of managing many types of data subjects and processing large amounts of special categories of personal data, I prepared risk assessments of core activities and helped introduce appropriate technical and organizational measures to reduce identified risks.
I hold a number of certificates in data protection law (e.g. GDPR Master Class) and have worked closely with personal data specialists in law firms such as Bech-Bruun, Accura and Plesner. In addition, I am a member of the Danish DPO Society and continuously take part in various network meetings, webinars and other activities.
With reference to the data protection legislation, information security standards/guidelines etc., LHR Consult offers the following services:
- Implementation of ISMS/GDPR compliance-package (ISO 2700X/27701/29100, COBIT etc.).
- Providing legal advice and consultation on data protection, the GDPR, special law/lex specialis (business law, tax law, employment law, health law etc.), information-/IT- and cyber security, ePrivacy, data ethics etc. (national Data Protection Agencies, EDPB, Agency for Digitisation, CFCS, ENISA, NIST, ISF etc.).
- Acting as Data Protection Officer/DPO (GDPR Art 37).
- Mapping of data/dataflows, systems, processes, responsibilities, risks, quality controls and quality indicators etc.
- Preparation of Record of Processing Activities.
- Risk management, preparation of Data Protection Impact Assessment (DPIA), other risk assessments, risk minimization etc. (e.g. EU/GxP, ICH, ISO 27005/31000).
- Identification and management of challenges and opportunities incl. optimization of GDPR-processes – e.g. digital solutions/automation processes (compliance software etc.).
- Assessment/audit of data processors, preparation of Data Processing Agreements, assessment of assurance reports (e.g. ISAE 3000/3402, SOC 1/2) etc.
- Management of data subject rights (withdrawal of consent, erasure/backup issues etc.), requests, complaints etc.
- Management of third-country transfers, SCCs, cloud service-issues, supplementary measures etc.
- Management of data breaches – assessment/root cause analysis, reporting, corrective/preventive actions (CAPAs), trend analyses etc.
- Training/awareness activities and mentoring of employees (management of personal data, IT/cyber security etc.).
- Preparation, execution and hosting of, as well as follow-up on, internal/external audits (data processors etc.) and government inspections (e.g. ISO 2700X).
- Other GDPR activities (related to marketing, data retention, scientific research, statistics etc.).
- Liaising and sparring with national/international supervisory authorities (registrations, applications, reporting, complaints etc.).